Abstract

This paper investigates the supervisory control of nondeterministic discrete event systems to enforce bisimilarity with respect to deterministic specifications. A notion of synchronous simulation-based controllability is introduced as a necessary and sufficient condition for the existence of a bisimilarity enforcing supervisor, and a polynomial algorithm is developed to verify such a condition. When the existence condition holds, a supervisor achieving bisimulation equivalence is constructed. Furthermore, when the existence condition does not hold, two different methods are provided for synthesizing maximal permissive sub-specifications.
1. Introduction



The notion of bisimulation introduced by Milner (1989) has been successfully used as a behavior equivalence in model checking (Clarke, 1997), software verification (Chaki et al., 2004) and formal analysis of continuous (Tabuada & Pappas, 2004), hybrid (Tabuada et al., 2004) and discrete event systems (DESs). What makes bisimulation appealing is its capability in complexity mitigation and branching behavior preservation, especially when we deal with large scale distributed and concurrent systems such as multi-robot cooperative tasking, networked embedded systems, and traffic management.

Therefore, recent years have seen increasing research activities in employing bisimulation to DESs. References (Barrett & Lafortune, 1998), (Komenda & van Schuppen, 2005) and (Su et al., 2010) used bisimulation for the control of deterministic systems subject to language equivalence. Madhusudan & Thiagarajan (2002) investigated the control for bisimulation equivalence with respect to a partial specification, in which the plant is taken to be deterministic and all events are treated as controllable. Tabuada (2008) solved the controller synthesis problem for bisimulation equivalence in a wide variety of scenarios including continuous systems, hybrid systems and DESs, in which the bisimilarity controller is given as a morphism in the framework of category theory. Zhou et al. (2006) investigated the bisimilarity control for nondeterministic plants and nondeterministic specifications. A small model theorem was provided to show that a supervisor enforcing the bisimulation equivalence between the supervised system and the specification exists if and only if a state controllable automaton exists over the Cartesian product of the system and specification state spaces. This small model theorem was also extended to partial observation in (Zhou & Kumar, 2007). In both these works, the existence of a bisimilarity supervisor depends on the existence of a state controllable automaton, which is hard to calculate in a systematic way, and the complexity of checking the existence condition is doubly exponential. To reduce the computational complexity, Zhou & Kumar (2011) specialized to deterministic supervisors. The existence condition for a deterministic bisimilarity supervisor considering nondeterministic plants and nondeterministic specifications was identified. Moreover, the synthesis of deterministic supervisors, feasible sub-specifications and infimal sub-specifications was developed as well. Liu et al. (2011) introduced a simulation-based framework upon which the bisimilarity control for nondeterministic plants and nondeterministic specifications was studied. In particular, a new scheme based on the simulation relation was proposed for synchronization, which is different from the commonly used synchronization operators such as parallel composition and product in the supervisory control literature.

This paper studies the supervisory control of nondeterministic plants for bisimulation equivalence with respect to deterministic specifications. Compared to the existing literature, the contributions of this paper mainly lie in the following aspects. First, a novel notion of synchronous simulation-based controllability is introduced as a necessary and sufficient condition for the existence of a bisimilarity enforcing supervisor. Although it is equivalent to the conditions in (Zhou & Kumar, 2011) specialized to deterministic specifications, it provides insight into what characteristics a deterministic specification should possess for bisimilarity control. Second, a test algorithm is proposed to verify the existence condition, which is shown to have polynomial complexity (less than the complexity of the conditions in (Zhou & Kumar, 2011)). When the existence condition holds, we further present a systematic way to construct bisimilarity enforcing supervisors. Third, since a given specification does not always guarantee the existence of a bisimilarity enforcing supervisor, a key question is how to find a maximal permissive specification which enables the synthesis of bisimilarity enforcing supervisors. To answer this question, we investigate the calculation of supremal synchronously simulation-based controllable sub-specifications using two different methods. One is based on a recursive algorithm and the other directly computes such a sub-specification based on formulas.

The rest of this paper is organized as follows. Section 2 gives the preliminaries and problem formulation. Section 3 presents the synthesis of bisimilarity enforcing supervisors. Section 4 investigates the test algorithm for the existence of a bisimilarity enforcing supervisor. Section 5 explores the calculation of maximal permissive sub-specifications. This paper concludes with Section 6.

2. Preliminary and Problem Formulation 

2.1. Preliminary Results 

A DES is modeled as a nondeterministic automaton $G = (X, \Sigma, x_0, \alpha, X_m)$, where $X$ is the set of states, $\Sigma$ is the set of events, $\alpha : X \times \Sigma \to 2^X$ is the transition function, $x_0$ is the initial state and $X_m \subseteq X$ is the set of marked states. The event set $\Sigma$ can be partitioned into $\Sigma = \Sigma_{uc} \cup \Sigma_c$, where $\Sigma_{uc}$ is the set of uncontrollable events and $\Sigma_c$ is the set of controllable events. Let $\Sigma^*$ be the set of all finite strings over $\Sigma$ including the empty string $\epsilon$. The transition function $\alpha$ can be extended from events to traces, $\alpha : X \times \Sigma^* \to 2^X$, which is defined inductively as: for any $x \in X$, $\alpha(x, \epsilon) = x$; for any $s \in \Sigma^*$ and $\sigma \in \Sigma$, $\alpha(x, s\sigma) = \alpha(\alpha(x, s), \sigma)$. If the transition function is a partial map $\alpha : X \times \Sigma \to X$, $G$ is said to be a deterministic automaton. For $X_1 \subseteq X$, the notation $\alpha|_{X_1 \times \Sigma}$ denotes $\alpha$ restricted to the smaller domain $X_1 \times \Sigma$ with codomain $2^{X_1}$. Given $X_1 \subseteq X$, the subautomaton of $G$ with respect to $X_1$, denoted by $F_G(X_1)$, is defined as $F_G(X_1) = (X_1, \Sigma, x_0, \alpha_1, X_{m1})$, where $\alpha_1 = \alpha|_{X_1 \times \Sigma}$ and $X_{m1} = X_1 \cap X_m$. The active event set at state $x$ is defined as $E_G(x) = \{\sigma \in \Sigma \mid \alpha(x, \sigma) \text{ is defined}\}$. Given a string $s \in \Sigma^*$, the length of the string $s$, denoted as $|s|$, is the total number of events, and $s(i)$ is the $i$-th event of this string, where $1 \le i \le |s|$. Given $\Sigma_1 \subseteq \Sigma$, a projection $P_{\Sigma \to \Sigma_1} : \Sigma^* \to \Sigma_1^*$ is used to filter a string of events from $\Sigma$ to $\Sigma_1$, and it is defined inductively as follows: $P_{\Sigma \to \Sigma_1}(\epsilon) = \epsilon$; for any $\sigma \in \Sigma$ and $s \in \Sigma^*$, $P_{\Sigma \to \Sigma_1}(s\sigma) = P_{\Sigma \to \Sigma_1}(s)\sigma$ if $\sigma \in \Sigma_1$, otherwise $P_{\Sigma \to \Sigma_1}(s\sigma) = P_{\Sigma \to \Sigma_1}(s)$. The language generated by $G$ is defined as $L(G) = \{s \in \Sigma^* \mid \alpha(x_0, s) \text{ is defined}\}$, and the marked language generated by $G$ is defined as $L_m(G) = \{s \in \Sigma^* \mid \alpha(x_0, s) \cap X_m \ne \emptyset\}$. Consider three languages $K, K_1, K_2 \subseteq \Sigma^*$. The Kleene closure of $K$, denoted as $K^*$, is the language $K^* = \bigcup_{n \in \mathbb{N}} K^n$, where $K^0 = \{\epsilon\}$ and for any $n \ge 0$, $K^{n+1} = K^n K$. The prefix closure of $K$, denoted as $\overline{K}$, is the language $\overline{K} = \{s \in \Sigma^* \mid (\exists t \in \Sigma^*)\ st \in K\}$. The quotient of $K_1$ with respect to $K_2$, denoted as $K_1/K_2$, is the language $K_1/K_2 = \{s \in \Sigma^* \mid (\exists t \in K_2)\ st \in K_1\}$. For two languages $K_1, K_2 \subseteq \Sigma^*$ with $K_2 \subseteq K_1 \ne \emptyset$, let $G(K_1, K_2)$ be a deterministic automaton such that $L(G(K_1, K_2)) = K_1$ and $L_m(G(K_1, K_2)) = K_2$. For a nondeterministic $G$, let $det(G)$ be a minimal deterministic automaton such that $L(det(G)) = L(G)$ and $L_m(det(G)) = L_m(G)$.

To model the interaction between automata, we introduce parallel composition as below (Cassandras & Lafortune, 2008).



Definition 1. Given $G_1 = (X_1, \Sigma_1, x_{01}, \alpha_1, X_{m1})$ and $G_2 = (X_2, \Sigma_2, x_{02}, \alpha_2, X_{m2})$, the parallel composition of $G_1$ and $G_2$ is an automaton

$$G_1 \| G_2 = (X_1 \times X_2,\ \Sigma_1 \cup \Sigma_2,\ \alpha_{1\|2},\ (x_{01}, x_{02}),\ X_{m1} \times X_{m2}),$$

where for any $x_1 \in X_1$, $x_2 \in X_2$ and $\sigma \in \Sigma$, the transition function is defined as:

$$\alpha_{1\|2}((x_1, x_2), \sigma) = \begin{cases} \alpha_1(x_1, \sigma) \times \alpha_2(x_2, \sigma) & \sigma \in E_{G_1}(x_1) \cap E_{G_2}(x_2); \\ \alpha_1(x_1, \sigma) \times \{x_2\} & \sigma \in E_{G_1}(x_1) \cap (\Sigma_1 \setminus \Sigma_2); \\ \{x_1\} \times \alpha_2(x_2, \sigma) & \sigma \in E_{G_2}(x_2) \cap (\Sigma_2 \setminus \Sigma_1); \\ \text{undefined} & \text{otherwise.} \end{cases}$$

When $\Sigma_1 = \Sigma_2$, parallel composition can be understood as a form of control, where a supervisor is designed to restrict the behavior of the plant.

Next we present the synchronized state map, which is used to find the synchronized state pairs of two automata (Zhou et al., 2006).

Definition 2. Given $G_1 = (X_1, \Sigma_1, x_{01}, \alpha_1, X_{m1})$ and $G_2 = (X_2, \Sigma_2, x_{02}, \alpha_2, X_{m2})$, the synchronized state map $X_{synG_1G_2} : X_1 \to 2^{X_2}$ from $G_1$ to $G_2$ is defined as

$$X_{synG_1G_2}(x_1) = \{x_2 \in X_2 \mid (\exists s \in \Sigma^*)\ x_1 \in \alpha_1(x_{01}, s) \wedge x_2 \in \alpha_2(x_{02}, s)\}.$$
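The two constructions above are executable as they stand. The following Python is an added example, not code from the paper: it builds the reachable part of $G_1 \| G_2$ of Definition 1 (shared events in lockstep, private events moving one component) and the synchronized state map of Definition 2 as the set of state pairs reachable by reading the same string. The dict-based automaton encoding and the sample plant and supervisor (`PLANT`, `SUP`, over a common alphabet so that the composition acts as control) are assumptions of the example.

```python
from collections import deque

# Automaton encoding used in this example (an assumption of the example, not
# the paper's notation): a dict with 'states', 'events', 'init', 'marked' and
# 'delta', where delta maps (state, event) -> set of successor states, so
# nondeterminism is a successor set with more than one element.

def active(G, x):
    """E_G(x): the events defined at state x."""
    return {e for (s, e) in G['delta'] if s == x}

def parallel(G1, G2):
    """G1 || G2 of Definition 1, restricted to the reachable product states.
    Shared events move both components in lockstep; an event private to one
    alphabet moves that component alone and leaves the other one still."""
    E1, E2 = G1['events'], G2['events']
    init = (G1['init'], G2['init'])
    delta, seen, todo = {}, {init}, deque([init])
    while todo:
        x1, x2 = todo.popleft()
        for e in E1 | E2:
            if e in E1 and e in E2:                      # shared event
                if e not in active(G1, x1) or e not in active(G2, x2):
                    continue                             # blocked by one side
                succ = {(a, b) for a in G1['delta'][(x1, e)]
                               for b in G2['delta'][(x2, e)]}
            elif e in E1:                                # private to G1
                if e not in active(G1, x1):
                    continue
                succ = {(a, x2) for a in G1['delta'][(x1, e)]}
            else:                                        # private to G2
                if e not in active(G2, x2):
                    continue
                succ = {(x1, b) for b in G2['delta'][(x2, e)]}
            delta[((x1, x2), e)] = succ
            for p in succ:
                if p not in seen:
                    seen.add(p)
                    todo.append(p)
    marked = {(a, b) for (a, b) in seen
              if a in G1['marked'] and b in G2['marked']}
    return {'states': seen, 'events': E1 | E2, 'init': init,
            'delta': delta, 'marked': marked}

def sync_state_map(G1, G2):
    """X_syn(G1,G2) of Definition 2: x2 belongs to X_syn(x1) iff some string s
    leads to x1 in G1 and to x2 in G2.  Computed by exploring, breadth first,
    every pair of states that can be reached by reading the same string."""
    init = (G1['init'], G2['init'])
    seen, todo = {init}, deque([init])
    while todo:
        x1, x2 = todo.popleft()
        for e in active(G1, x1) & active(G2, x2):
            for a in G1['delta'][(x1, e)]:
                for b in G2['delta'][(x2, e)]:
                    if (a, b) not in seen:
                        seen.add((a, b))
                        todo.append((a, b))
    xsyn = {x1: set() for x1 in G1['states']}
    for a, b in seen:
        xsyn[a].add(b)
    return xsyn

# Constructed sample (not from the paper): a plant that after event a lands
# nondeterministically in x1 or x2, and a supervisor over the same alphabet
# that never enables c, so the branch through x2 is cut off.
PLANT = {'states': {'x0', 'x1', 'x2', 'x3'}, 'events': {'a', 'b', 'c'},
         'init': 'x0', 'marked': {'x3'},
         'delta': {('x0', 'a'): {'x1', 'x2'}, ('x1', 'b'): {'x3'},
                   ('x2', 'c'): {'x3'}}}
SUP = {'states': {'y0', 'y1', 'y2'}, 'events': {'a', 'b', 'c'},
       'init': 'y0', 'marked': {'y2'},
       'delta': {('y0', 'a'): {'y1'}, ('y1', 'b'): {'y2'}}}

if __name__ == '__main__':
    closed = parallel(PLANT, SUP)
    print(sorted(closed['states']))      # c is disabled at (x2, y1)
    print(sync_state_map(PLANT, SUP))    # x1 and x2 both synchronize with y1
```

Note that the supervisor does not need a transition on `c` to disable it: with a common alphabet, an event the supervisor leaves undefined is blocked in the composition, which is exactly the "parallel composition as control" reading given after Definition 1.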

Most literature on supervisory control aims to achieve language equivalence between the supervised system and the specification. The necessary and sufficient condition for the existence of a language enforcing supervisor is captured by the notion of language controllability as below (Ramadge & Wonham, 1987).

Definition 3. Given $G = (X, \Sigma, x_0, \alpha, X_m)$, a language $K \subseteq L(G)$ is said to be language controllable with respect to $L(G)$ and $\Sigma_{uc}$ if

$$\overline{K}\Sigma_{uc} \cap L(G) \subseteq \overline{K}.$$

As a stronger behavior equivalence than language equivalence, bisimulation is stated as follows (Milner, 1989). It is known that bisimulation implies language equivalence and marked language equivalence, but the converse does not hold.

Definition 4. Given $G_1 = (X_1, \Sigma, x_{01}, \alpha_1, X_{m1})$ and $G_2 = (X_2, \Sigma, x_{02}, \alpha_2, X_{m2})$, a simulation relation is a binary relation $\phi \subseteq X_1 \times X_2$ such that $(x_1, x_2) \in \phi$ implies:

(1) $(\forall \sigma \in \Sigma)\,[\forall x_1' \in \alpha_1(x_1, \sigma)\ \exists x_2' \in \alpha_2(x_2, \sigma)$ such that $(x_1', x_2') \in \phi]$;

(2) $x_1 \in X_{m1} \Rightarrow x_2 \in X_{m2}$.

If there is a simulation relation $\phi \subseteq X_1 \times X_2$ such that $(x_{01}, x_{02}) \in \phi$, $G_1$ is said to be simulated by $G_2$, denoted by $G_1 \prec_\phi G_2$. For $\phi \subseteq (X_1 \cup X_2)^2$, if $G_1 \prec_\phi G_2$, $G_2 \prec_\phi G_1$ and $\phi$ is symmetric, $\phi$ is called a bisimulation relation between $G_1$ and $G_2$, denoted by $G_1 \cong_\phi G_2$. We sometimes omit the subscript $\phi$ from $\prec_\phi$ or $\cong_\phi$ when it is clear from the context. Then we present a motivating example of this paper.
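Definition 4 can be decided mechanically for finite automata by a greatest-fixpoint computation, and that also makes concrete the remark that bisimulation is strictly stronger than language equivalence. The following Python is an added example, not code from the paper: it starts from every state pair allowed by the marking condition (2), repeatedly deletes pairs that violate the transfer condition (1), and reads off the largest simulation relation (or, with the transfer condition imposed in both directions, the largest bisimulation relation). The dict-based automaton encoding and the two sample automata `G1` and `G2` (same language, different branching) are assumptions of the example.

```python
# Automaton encoding used in this example (an assumption of the example, not
# the paper's notation): dict with 'states', 'events', 'init', 'marked' and
# 'delta' mapping (state, event) -> set of successor states.

def active(G, x):
    """E_G(x): the events defined at state x."""
    return {e for (s, e) in G['delta'] if s == x}

def _transfer_ok(G1, G2, rel, x1, x2):
    """Condition (1) of Definition 4 for a single pair: every move of x1 on an
    event must be matched by a move of x2 on the same event into a pair of rel."""
    for e in active(G1, x1):
        succ2 = G2['delta'].get((x2, e), set())
        for a in G1['delta'][(x1, e)]:
            if not any((a, b) in rel for b in succ2):
                return False
    return True

def _marking_ok(G1, G2, x1, x2, symmetric):
    """Condition (2): a marked state of G1 may only be related to a marked
    state of G2; for a bisimulation the markings must agree both ways."""
    m1, m2 = x1 in G1['marked'], x2 in G2['marked']
    return m1 == m2 if symmetric else (not m1 or m2)

def largest_relation(G1, G2, symmetric=False):
    """Greatest-fixpoint computation.  Start from every pair allowed by the
    marking condition and delete pairs that break the transfer condition until
    nothing changes.  With symmetric=False the result is the largest simulation
    relation from G1 to G2; with symmetric=True the transfer condition is
    imposed in both directions, giving the largest bisimulation relation."""
    rel = {(x1, x2) for x1 in G1['states'] for x2 in G2['states']
           if _marking_ok(G1, G2, x1, x2, symmetric)}
    changed = True
    while changed:
        changed = False
        inv = {(b, a) for (a, b) in rel}
        for (x1, x2) in list(rel):
            keep = _transfer_ok(G1, G2, rel, x1, x2)
            if keep and symmetric:
                keep = _transfer_ok(G2, G1, inv, x2, x1)
            if not keep:
                rel.discard((x1, x2))
                changed = True
    return rel

def simulates(G1, G2):
    """G1 is simulated by G2: the initial pair lies in the largest simulation."""
    return (G1['init'], G2['init']) in largest_relation(G1, G2)

def bisimilar(G1, G2):
    """G1 and G2 are bisimilar: the initial pair lies in the largest bisimulation."""
    return (G1['init'], G2['init']) in largest_relation(G1, G2, symmetric=True)

def language(G, max_len):
    """L(G) truncated to strings of length <= max_len, as tuples of events
    (enough to compare the acyclic samples below)."""
    out, frontier = {()}, {((), G['init'])}
    for _ in range(max_len):
        nxt = set()
        for s, x in frontier:
            for e in active(G, x):
                for y in G['delta'][(x, e)]:
                    out.add(s + (e,))
                    nxt.add((s + (e,), y))
        frontier = nxt
    return out

# Constructed sample (not from the paper): G1 decides between b and c already
# when it takes a (nondeterministically), G2 decides after a.  Same language,
# different branching: the classic pair that separates language equivalence
# from bisimulation.
G1 = {'states': {'x0', 'x1', 'x2', 'x3', 'x4'}, 'events': {'a', 'b', 'c'},
      'init': 'x0', 'marked': {'x3', 'x4'},
      'delta': {('x0', 'a'): {'x1', 'x2'}, ('x1', 'b'): {'x3'},
                ('x2', 'c'): {'x4'}}}
G2 = {'states': {'y0', 'y1', 'y2', 'y3'}, 'events': {'a', 'b', 'c'},
      'init': 'y0', 'marked': {'y2', 'y3'},
      'delta': {('y0', 'a'): {'y1'}, ('y1', 'b'): {'y2'}, ('y1', 'c'): {'y3'}}}

if __name__ == '__main__':
    print(language(G1, 3) == language(G2, 3))    # True: same language
    print(simulates(G1, G2), simulates(G2, G1))  # True False
    print(bisimilar(G1, G2))                     # False
```

The asymmetry is the whole point: `G1` is simulated by `G2` (every early choice of `G1` is matched by the late choice of `G2`), but `G2` is not simulated by `G1`, because after `a` the state `y1` still offers both `b` and `c` while neither `x1` nor `x2` does. Hence the languages agree yet the automata are not bisimilar.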

2.2. A Motivating Example 






Figure 1: multi-robot system (MRS) (Left), $G_1$ (Middle) and $G_2$ (Right)



Consider a cooperative multi-robot system (MRS) configured in Fig. 1 (Left). The MRS consists of two robots $R_1$ and $R_2$. Both of them have the same communication, position, pushing, scent-sensing and frequency-sensing capabilities. Furthermore, $R_1$ has color-sensing capability, while $R_2$ has shape-sensing capability. $R_1$ and $R_2$ can cooperatively search for and clear a dangerous object (the white cube) in the workspace. Initially, $R_1$ and $R_2$ are positioned outside the workspace. Let $i = 1, 2$. When the work request is announced (event $w_i$), $R_i$ is required to enter the workspace. Due to actuator limitations, it nondeterministically goes along one of two pre-defined paths (event $g$). In the first path, $R_1$ activates color-sensing (event $c$) and scent-sensing (event $o$) capabilities to detect the dangerous object; whereas in the second path, besides color-sensing and scent-sensing capabilities, $R_1$ also activates frequency-sensing (event $f$) for detection. Similarly, $R_2$ activates shape-sensing (event $s$), scent-sensing and frequency-sensing capabilities in the first path, while in the second path it activates shape-sensing and scent-sensing capabilities. After detecting the dangerous object, $R_i$ pushes the dangerous object out of the workspace (event $p$), and then returns to the initial position (event $r$) for the next task.






Figure 2: $G_1 \| G_2$ (First Left), $R$ (Second Left), $S_1$ (Second Right) and $S_2$ (First Right)



The automaton model $G_i$ of $R_i$ with alphabet $\Sigma_i$ is shown in Fig. 1, where $\Sigma_1 = \{w_1, g, c, o, f, p, r\}$ and $\Sigma_2 = \{w_2, g, s, o, f, p, r\}$. Since $R_i$ cannot prevent the host computer from broadcasting the work announcement, the event $w_i$ is deemed uncontrollable, that is, $w_i \in \Sigma_{uc_i}$. The remaining events are controllable. The cooperative behavior of $R_1$ and $R_2$ can be represented as $G_1 \| G_2$ (Fig. 2 (First Left)). The specification $R$, configured in Fig. 2, is given in order to restrict the cooperative behavior $G_1 \| G_2$. According to the specification, after both $R_1$ and $R_2$ receive the work command and go to the workspace, two possible states may be reached by the MRS nondeterministically. In the first state, the color sensor, the shape sensor and the scent sensors can be adopted to confirm that an object is dangerous. However, to save energy, in the second state only the color sensor and the shape sensor can be adopted for dangerous object detection. After the detection, the dangerous object is cleared from the workspace.
Figure 3: $\|_{i \in \{1,2\}} G_i \| S_i$ (Left), $R_{s_1}$ (Middle) and $R_{s_2}$ (Right)



For such an MRS, if we use language equivalence as behavior equivalence, the control target is to design supervisors $S_1$ and $S_2$ such that $L(\|_{i \in \{1,2\}} G_i \| S_i) = L(R)$. According to the results in (Willner & Heymann, 1991), this problem can be solved by designing $S_i$ such that $L(G_i \| S_i) = P_{\Sigma_1 \cup \Sigma_2 \to \Sigma_i}(L(R))$. Since $P_{\Sigma_1 \cup \Sigma_2 \to \Sigma_i}(L(R))$ is language controllable with respect to $L(G_i)$ and $\Sigma_{uc_i}$, we can construct $S_i$ as shown in Fig. 2. So the supervised system $\|_{i \in \{1,2\}} G_i \| S_i$ (Fig. 3 (Left)) is language equivalent to $R$. However, it can be seen that $\|_{i \in \{1,2\}} G_i \| S_i$ enables all of the color sensor, the shape sensor and the scent sensors for dangerous object detection, which violates the energy saving requirement in the specification. Hence language equivalence is not adequate for this case, which calls for the use of bisimulation as behavior equivalence. That is, we need to design supervisors $S_i'$ such that $\|_{i \in \{1,2\}} G_i \| S_i' \cong R$. For such a bisimilarity control problem, a promising method (Karimadini & Lin, 2011) is to decompose the global specification $R$ into sub-specifications $R_{s_i}$ with alphabet $\Sigma_i$ for $R_i$ (Fig. 3) such that $\|_{i \in \{1,2\}} R_{s_i} \cong R$. If we can design $S_i'$ such that $G_i \| S_i' \cong R_{s_i}$, then $\|_{i \in \{1,2\}} G_i \| S_i' \cong R$. In particular, $R_{s_2}$ is deterministic, which motivates us to consider the bisimilarity control for deterministic specifications in this paper.

2.3. Problem Formulation 

In the rest of the paper, unless otherwise stated, we will use $G = (X, \Sigma, \alpha, x_0, X_m)$, $R = (Q, \Sigma, \delta, q_0, Q_m)$ and $S = (Y, \Sigma, \beta, y_0, Y_m)$ to denote the nondeterministic plant, the deterministic specification and the supervisor (possibly nondeterministic) respectively. Next we formalize the notion of bisimilarity enforcing supervisor, which always enables all uncontrollable events and enforces bisimilarity between the supervised system and the specification.

Definition 5. Given a plant $G$ and a specification $R$, a supervisor $S$ is said to be a bisimilarity enforcing supervisor for $G$ and $R$ if:

(1) There is a bisimulation relation $\phi$ such that $G \| S \cong_\phi R$;

(2) $S$ enables all uncontrollable events at each state.

This paper aims to solve the following problems. 

Problem 1: Given a nondeterministic plant $G$ and a deterministic specification $R$, what condition guarantees the existence of a bisimilarity enforcing supervisor $S$ for $G$ and $R$?

Problem 2: How to check this condition effectively? 

Problem 3: If the condition is satisfied, how to construct a bisimilarity en- 
forcing supervisor S ? 

Problem 4: If the condition is not satisfied, how to obtain a maximal per- 
missive sub-specification which enables the synthesis of bisimilarity enforcing 
supervisors? 

3. Supervisory Control for Bisimilarity 

This section investigates Problem 1 and Problem 3, also called the bisimilarity enforcing supervisor synthesis problem. We begin with the existence condition of a bisimilarity enforcing supervisor. For sufficiency, since we need to design a bisimilarity enforcing supervisor, the following concept is introduced.

Definition 6. Given $G_1 = (X_1, \Sigma, x_{01}, \alpha_1, X_{m1})$, the uncontrollable augment automaton $G_{1uc}$ of $G_1$ is defined as:

$$G_{1uc} = (X_1 \cup \{D_d\},\ \Sigma,\ x_{01},\ \alpha_{uc},\ X_{m1}),$$

where for any $x \in X_1 \cup \{D_d\}$ and $\sigma \in \Sigma$:

$$\alpha_{uc}(x, \sigma) = \begin{cases} \alpha_1(x, \sigma) & \sigma \in E_{G_1}(x); \\ \{D_d\} & (\sigma \in \Sigma_{uc} \setminus E_{G_1}(x)) \vee (x = D_d \wedge \sigma \in \Sigma_{uc}); \\ \text{undefined} & \text{otherwise.} \end{cases}$$



We can see that an uncontrollable augment automaton can be employed in the construction of bisimilarity enforcing supervisors because it naturally satisfies condition (2) required for a bisimilarity enforcing supervisor (Definition 5).

On the other side, for necessity we have $G \| S \cong R$, which implies $R \prec G \| S \prec G$. Hence $R \prec G$ is a necessary condition to guarantee the existence of a bisimilarity enforcing supervisor. Moreover, $G \| S \cong R$ implies $L(G \| S) = L(R)$, thus language controllability of the specification is also a necessary condition for the existence of a bisimilarity enforcing supervisor. To satisfy those necessary conditions, we will introduce synchronous simulation-based controllability as a property of the specification. Before that, we need the following concept.

Definition 7. Given $G_1 = (X_1, \Sigma, x_{01}, \alpha_1, X_{m1})$, $G_2 = (X_2, \Sigma, x_{02}, \alpha_2, X_{m2})$ and a simulation relation $\phi$ such that $G_1 \prec_\phi G_2$, $\phi$ is called a synchronous simulation relation from $G_1$ to $G_2$ if $(x_1, x_2) \in \phi$ for any $x_1 \in X_1$ and $x_2 \in X_{synG_1G_2}(x_1)$.

If there exists a synchronous simulation relation from $G_1$ to $G_2$, $G_1$ is said to be synchronously simulated by $G_2$, denoted as $G_1 \prec_{syn\phi} G_2$. For a deterministic specification $R$, if $R$ is synchronously simulated by $G$, then $G$ possesses the branches which are bisimilar to $R$ and the branches which are outside $L(R)$. Hence it turns out that $G \| R \cong R$. If $R$ is further language controllable with respect to $L(G)$ and $\Sigma_{uc}$, then $G \| R = G \| R_{uc}$, implying that $R_{uc}$ is a candidate bisimilarity enforcing supervisor. Based on this observation, we provide the following concept.

Definition 8. Given $G_1 = (X_1, \Sigma, x_{01}, \alpha_1, X_{m1})$ and $G_2 = (X_2, \Sigma, x_{02}, \alpha_2, X_{m2})$, $G_1$ is said to be synchronously simulation-based controllable with respect to $G_2$ and $\Sigma_{uc}$ if it satisfies:

(1) There is a synchronous simulation relation $\phi$ such that $G_1 \prec_{syn\phi} G_2$;

(2) $L(G_1)$ is language controllable with respect to $L(G_2)$ and $\Sigma_{uc}$.

It is immediate to see that when $R$ is synchronously simulation-based controllable with respect to $G$ and $\Sigma_{uc}$, it not only satisfies the necessary conditions ($R \prec G$ and language controllability of $L(R)$) for the existence of a bisimilarity enforcing supervisor but also enables the development of $R_{uc}$ as a bisimilarity enforcing supervisor to accomplish the sufficiency of the existence condition.

Then we present a necessary and sufficient condition for the existence of a 
bisimilarity enforcing supervisor. 

Theorem 1. Given a plant $G$ and a deterministic specification $R$, there exists a bisimilarity enforcing supervisor $S$ for $G$ and $R$ if and only if $R$ is synchronously simulation-based controllable with respect to $G$ and $\Sigma_{uc}$.



Proof. For sufficiency, we choose $R_{uc}$ as the supervisor. Let $G \| R = (X_\|, \Sigma, (x_0, q_0), \alpha_\|, X_{m\|})$. Consider a relation $\phi_1 = \{((x, q), q) \mid (x, q) \in X_\|\}$. We show that $\phi_1 \cup \phi_1^{-1}$ is a bisimulation relation from $G \| R$ to $R$. First note that $((x_0, q_0), q_0) \in \phi_1$. Pick $((x, q), q) \in \phi_1$ and $(x', q') \in \alpha_\|((x, q), \sigma)$, where $\sigma \in \Sigma$. By the definition of parallel composition, we have $q' \in \delta(q, \sigma)$, which implies $((x', q'), q') \in \phi_1$. When $(x', q') \in X_{m\|}$, then $q' \in Q_m$. On the other side, pick $(q, (x, q)) \in \phi_1^{-1}$ and $q' \in \delta(q, \sigma)$. Since $(x, q) \in X_\|$ and there is a synchronous simulation relation such that $R \prec_{syn\phi} G$, we have $(q, x) \in \phi$. Then there is $x' \in \alpha(x, \sigma)$ such that $(q', x') \in \phi$, and if $q' \in Q_m$, then $x' \in X_m$. It follows that $(x', q') \in \alpha_\|((x, q), \sigma)$ and $(x', q') \in X_{m\|}$ when $q' \in Q_m$. That is, $(q', (x', q')) \in \phi_1^{-1}$. Hence $G \| R \cong_{\phi_1 \cup \phi_1^{-1}} R$. Moreover, from determinism and language controllability of $R$, and the fact that $R_{uc}$ adding to every state a transition to $D_d$ through undefined uncontrollable events does not change the result of parallel composition, we have $G \| R_{uc} = G \| R$. It implies that

$$G \| R_{uc} \cong_{\phi_1 \cup \phi_1^{-1}} R.$$

For necessity, suppose there is a bisimilarity enforcing supervisor $S$ for $G$ and $R$. Then, there is a bisimulation relation $\phi' = \phi \cup \phi^{-1}$ such that $R \prec_\phi G \| S$ and $G \| S \prec_{\phi^{-1}} R$. Let $G \| S = (X_{G\|S}, \Sigma, (x_0, y_0), \alpha_{G\|S}, X_{mG\|S})$. Consider a relation $\phi_1 = \{(q, x) \in Q \times X \mid (\exists y \in Y)\ (q, (x, y)) \in \phi\}$. We show that $\phi_1$ is a synchronous simulation relation from $R$ to $G$. By the definition of parallel composition, $\phi_1$ is a simulation relation from $R$ to $G$. Assume there is $q \in Q$ and $x' \in X_{synRG}(q)$ such that $(q, x') \notin \phi_1$. Hence there exists $s \in \Sigma^*$ such that $q \in \delta(q_0, s)$ and $x' \in \alpha(x_0, s)$. Since $R \prec_\phi G \| S$, for $q \in \delta(q_0, s)$ there is $(x, y) \in \alpha_{G\|S}((x_0, y_0), s)$ such that $(q, (x, y)) \in \phi$, which implies $y \in \beta(y_0, s)$ and in turn implies $(x', y) \in \alpha_{G\|S}((x_0, y_0), s)$. Because $G \| S \prec_{\phi^{-1}} R$, for $(x', y) \in \alpha_{G\|S}((x_0, y_0), s)$ there is $q' \in \delta(q_0, s)$ such that $((x', y), q') \in \phi^{-1}$. Since $R$ is deterministic, we have $q = q'$. Therefore, $(q, (x', y)) \in \phi$, which implies $(q, x') \in \phi_1$. This is a contradiction, so the assumption is incorrect. That is, for any $q \in Q$ and $x \in X_{synRG}(q)$, $(q, x) \in \phi_1$. So $R \prec_{syn\phi_1} G$. Next we show language controllability of $L(R)$. Since a bisimilarity enforcing supervisor $S$ enables all uncontrollable events at each state, $L(G \| S)$ is language controllable with respect to $L(G)$ and $\Sigma_{uc}$; further, $G \| S \cong R$ implies $L(G \| S) = L(R)$. It follows that $L(R)$ is language controllable w.r.t. $L(G)$ and $\Sigma_{uc}$. So $R$ is synchronously simulation-based controllable w.r.t. $G$ and $\Sigma_{uc}$.

Remark 1. Theorem 1 shows that if a deterministic $R$ is synchronously simulation-based controllable with respect to $G$ and $\Sigma_{uc}$, $R_{uc}$ is a bisimilarity enforcing supervisor for $G$ and $R$. Here synchronous simulation-based controllability of $R$ is equivalent to the conditions ($G \| det(R) \cong R$ and language controllability of $L(R)$) specialized to deterministic specifications in (Zhou & Kumar, 2011) to ensure the existence of a deterministic bisimilarity supervisor. However, the notion of synchronous simulation-based controllability offers computational advantages compared to the conditions in (Zhou & Kumar, 2011) (see Section 4). Moreover, it enables the calculation of maximal permissive sub-specifications when the existence condition for a bisimilarity enforcing supervisor does not hold (see Section 5).




Figure 4: $S_1'$ (First Left), $S_2'$ (Second Left), $G_1 \| S_1'$ (Second Right) and $G_2 \| S_2'$ (First Right)



Now we revisit the motivating example. 



Example 1. Let $i = 1, 2$. We need to design supervisors $S_i'$ such that $G_i \| S_i' \cong R_{s_i}$. Since $R_{s_2}$ is deterministic and synchronously simulation-based controllable with respect to $G_2$ and $\Sigma_{uc2} = \{w_2\}$, from Theorem 1 we can design $(R_{s_2})_{uc}$ to be $S_2'$ (Fig. 4 (Second Left)). The supervised system $G_2 \| S_2'$ is shown in Fig. 4 (First Right) and it can be seen that $G_2 \| S_2' \cong_{\phi \cup \phi^{-1}} R_{s_2}$, where $\phi$ contains $(q_0', (x_0', y_0'))$, $(q_1', (x_1', y_1'))$ and the pairs relating the remaining states of $R_{s_2}$ to the corresponding states of $G_2 \| S_2'$ in Fig. 4. In addition, $S_1'$ for $G_1$ can be designed as shown in Fig. 4 (First Left) according to our results in (Sun & Lin, 2012). Then $G_1 \| S_1' \cong R_{s_1}$ (Fig. 4 (Second Right)). As a result, $\|_{i \in \{1,2\}} G_i \| S_i' \cong R$.



4. A Test Algorithm for the Existence of a Bisimilarity Enforcing Supervisor 

To solve Problem 2, an algorithm is proposed in this section to test the existence of a bisimilarity enforcing supervisor. We start by introducing the synchronously simulation-based controllable product, which will be used in the test algorithm.
Definition 9. Given $G_1 = (X_1, \Sigma, x_{01}, \alpha_1, X_{m1})$ and $G_2 = (X_2, \Sigma, x_{02}, \alpha_2, X_{m2})$, the synchronously simulation-based controllable product of $G_1$ and $G_2$ is an automaton

$$G_1 \|_{sync} G_2 = ((X_1 \times X_2) \cup \{q_d, q_d'\},\ \Sigma,\ \alpha_{12},\ (x_{01}, x_{02}),\ X_{m1} \times X_{m2}),$$

where for any $(x_1, x_2) \in X_1 \times X_2$ and $\sigma \in \Sigma$, the transition function is defined as:

$$\alpha_{12}((x_1, x_2), \sigma) = \begin{cases} \alpha_1(x_1, \sigma) \times \alpha_2(x_2, \sigma) & \sigma \in E_{G_1}(x_1) \cap E_{G_2}(x_2); \\ q_d & \sigma \in E_{G_1}(x_1) \setminus E_{G_2}(x_2); \\ q_d' & \sigma \in \Sigma_{uc} \cap (E_{G_2}(x_2) \setminus E_{G_1}(x_1)); \\ \text{undefined} & \text{otherwise.} \end{cases}$$



Since synchronous simulation-based controllability is a necessary and suffi- 
cient condition for the existence of a bisimilarity enforcing supervisor, the follow- 
ing algorithm for testing synchronous simulation-based controllability of R also 
verifies the existence of a bisimilarity enforcing supervisor for G and R. 

Algorithm 1. Given a plant $G$ and a deterministic specification $R$, the algorithm for testing synchronous simulation-based controllability of $R$ with respect to $G$ and $\Sigma_{uc}$ is described as below.

Step 1: Obtain $R \|_{sync} G = (X_{sync}, \Sigma, \alpha_{sync}, (q_0, x_0), X_{m\,sync})$;

Step 2: $R$ is synchronously simulation-based controllable with respect to $G$ and $\Sigma_{uc}$ if and only if $q_d$ and $q_d'$ are not reachable in $R \|_{sync} G$ and $x \in X_m$ for any reachable state $(q, x)$ in $R \|_{sync} G$ with $q \in Q_m$.

Theorem 2. Algorithm 1 is correct. 

Proof. From the definition of the synchronously simulation-based controllable product, it is obvious that any $(q, x)$ satisfying $x \in X_{synRG}(q)$ is a state reachable in $R \|_{sync} G$, and any reachable $(q, x) \in X_{sync} \setminus \{q_d, q_d'\}$ satisfies $x \in X_{synRG}(q)$. For synchronous simulation-based controllability to hold, condition (1) and condition (2) of Definition 8 should be satisfied. On the other hand, if condition (1) is violated, there are two cases. Case 1: there exist $(q, x)$ and $\sigma \in \Sigma$ such that $x \in X_{synRG}(q)$ and $\sigma \in E_R(q) \setminus E_G(x)$. So $q_d \in \alpha_{sync}((q, x), \sigma)$. Case 2: there is $(q, x)$ such that $x \in X_{synRG}(q)$ and $x \notin X_m$ when $q \in Q_m$. If condition (2) is violated, i.e. there exist $(q, x)$ and $\sigma \in \Sigma_{uc}$ such that $x \in X_{synRG}(q)$ and $\sigma \in E_G(x) \setminus E_R(q)$, then $q_d' \in \alpha_{sync}((q, x), \sigma)$. It follows that $q_d$ or $q_d'$ is reachable in $R \|_{sync} G$, or $x \notin X_m$ for some reachable state $(q, x)$ in $R \|_{sync} G$ with $q \in Q_m$, iff $R$ is not synchronously simulation-based controllable w.r.t. $G$ and $\Sigma_{uc}$.
Remark 2. Algorithm 1 terminates because the state sets and the event sets of $R$ and $G$ are finite. Since $G$ is nondeterministic and $R$ is deterministic, their numbers of transitions are $O(|X|^2 |\Sigma|)$ and $O(|Q| |\Sigma|)$ respectively. Then the complexity of constructing $R \|_{sync} G$ is $O(|X|^2 |Q|^2 |\Sigma|)$. In addition, the complexity of checking the reachability of $q_d$ and $q_d'$ in $R \|_{sync} G$ is $O(\log(|X| |Q|))$ (Jones, 1975). So the complexity of Algorithm 1 is $O(|X|^2 |Q|^2 |\Sigma|)$. That is, the algorithm for testing the existence of a bisimilarity enforcing supervisor has polynomial complexity. Zhou & Kumar (2011) used conditions such as $G \| det(R) \cong R$ and $L(R)$ being language controllable with respect to $L(G)$ and $\Sigma_{uc}$ to guarantee the existence of a deterministic supervisor that achieves bisimulation equivalence. The complexity of verifying those conditions with respect to deterministic specifications is $O(|X|^2 |Q|^2 |\Sigma|^2 \log(|X| |Q|^2))$ (Remark 1 in Zhou & Kumar (2011)). Hence, we argue that Algorithm 1 is more effective.



We provide the following example to illustrate the algorithm for checking syn- 
chronous simulation-based controllability. 




Figure 5: Plant $G$ (Left), Specification $R$ (Middle) and $R \|_{sync} G$ (Right) of Example 2



Example 2. Consider a plant $G$ and a specification $R$ with $\Sigma_{uc} = \{b, e\}$ configured in Fig. 5. We can see that $R$ is not synchronously simulation-based controllable with respect to $G$ and $\Sigma_{uc}$ because, for $f \in L(G) \cap L(R)$ and $e \in \Sigma_{uc}$, $fe \in L(G) \setminus L(R)$, and there is a state $q$ of $R$ at which $e$ is defined but $e$ is not defined at some $x \in X_{synRG}(q)$ (see Fig. 5).

Next we use Algorithm 1 to test synchronous simulation-based controllability of $R$. The synchronously simulation-based controllable product $R \|_{sync} G$ is shown in Fig. 5 (Right). It can be seen that $q_d$ and $q_d'$ are reachable in $R \|_{sync} G$. Hence $R$ is not synchronously simulation-based controllable with respect to $G$ and $\Sigma_{uc}$.
5. Supremal Synchronously Simulation-Based Controllable Sub-specifications

This section studies Problem 4, i.e., the synthesis of supremal synchronously simulation-based controllable sub-specifications, because a synchronously simulation-based controllable sub-specification ensures the existence of a bisimilarity enforcing supervisor. First we introduce the notion of supremal.

Given $(A, \le)$ and $A' \subseteq A$, where $\le\ \subseteq A \times A$ is a transitive and reflexive relation over $A$, $x \in A$ is said to be a supremal of $A'$, denoted by $\sup A'$, if it satisfies:

(1) $\forall y \in A' : y \le x$;

(2) $\forall z \in A : [\forall y \in A' : y \le z] \Rightarrow [x \le z]$.

When we define the supremal of $A'$, a set $(A, \le)$ should be given with respect to the elements of $A'$. If the elements of $A'$ are languages, the set $(2^{\Sigma^*}, \subseteq)$ should be applied because $2^{\Sigma^*}$ includes all languages over alphabet $\Sigma$ and language inclusion fully captures the comparison between two languages. However, if the elements of $A'$ are automata, the set $(B, \prec)$ should be applied, where $B$ is the full set of automata with alphabet $\Sigma$ and $\prec\ \subseteq B \times B$ is the simulation relation, since $B$ includes all automata over alphabet $\Sigma$ and the simulation relation is adequate for the comparison of (possibly nondeterministic) automata.

We consider the class of sub-specifications that satisfy synchronous simulation-based controllability as below.

$$C_1 := \{R' \mid R' \text{ is deterministic},\ R' \prec R \text{ and } R' \text{ is synchronously simulation-based controllable w.r.t. } G \text{ and } \Sigma_{uc}\}$$

It can be seen that the supremal of $C_1$ with respect to $(B, \prec)$ is a supremal synchronously simulation-based controllable sub-specification. However, it is difficult to directly calculate the supremal of $C_1$ because $C_1$ is not closed under the upper bound (join) operator with respect to $(B, \prec)$ (Zhou & Kumar, 2011). To overcome this problem, we convert the automaton set $C_1$ into equivalently expressed language sets which are closed under the upper bound (set union) operator with respect to $(2^{\Sigma^*}, \subseteq)$ (Cassandras & Lafortune, 2008). Next we do this conversion item by item. First, for two deterministic automata $R'$ and $R$, the condition $R' \prec R$ is equivalent to the language conditions $L(R') \subseteq L(R)$ and $L_m(R') \subseteq L_m(R)$. Second, language controllability required in synchronous simulation-based controllability is naturally a language description. It remains to convert the synchronous simulation relation required in synchronous simulation-based controllability to an equivalent language condition. To complete the conversion, we need the following concept.
Definition 10. Given $G = (X, \Sigma, x_0, \alpha, X_m)$, the synchronous state merger operator on $G$ is defined as an automaton

$$F_{syn}(G) = (X_{syn}, \Sigma, \{x_0\}, \alpha_{syn}, X_{m\,syn}),$$

where $X_{syn} = 2^X$, $X_{m\,syn} = \{X_1 \mid X_1 \subseteq X_m\}$, and for any $A \in X_{syn}$ and $\sigma \in \Sigma$, the transition function is defined as:

$$\alpha_{syn}(A, \sigma) = \begin{cases} \bigcup_{x \in A} \alpha(x, \sigma) & \sigma \in \bigcap_{x \in A} E_G(x); \\ \text{undefined} & \text{otherwise.} \end{cases}$$



By using $F_{syn}(G)$, the synchronous simulation relation from a deterministic automaton $G_1$ to a plant $G$ is equivalent to the language conditions $L(G_1) \subseteq L(F_{syn}(G))$ and $L_m(G_1) \subseteq L_m(F_{syn}(G))$, which is stated in the following proposition.

Proposition 1. Given a plant $G$ and a deterministic automaton $G_1$, there is a synchronous simulation relation $\phi$ such that $G_1 \prec_{syn\phi} G$ iff $L(G_1) \subseteq L(F_{syn}(G))$ and $L_m(G_1) \subseteq L_m(F_{syn}(G))$.

Proof. Let $F_{syn}(G) = (X_f, \Sigma, \{x_0\}, \alpha_f, X_{mf})$, $G_1 = (X_1, \Sigma, x_{01}, \alpha_1, X_{m1})$ and $G_L = G_1 \| G = (X_L, \Sigma, (x_{01}, x_0), \alpha_L, X_{mL})$. For sufficiency, consider a relation $\phi = \{(x_1, x) \in X_1 \times X \mid x \in X_{synG_1G}(x_1)\}$. We show that $\phi$ is a synchronous simulation relation from $G_1$ to $G$. First note that $(x_{01}, x_0) \in \phi$. Pick $(x_1, x) \in \phi$ and $x_1' \in \alpha_1(x_1, \sigma)$, where $\sigma \in \Sigma$. Since $x \in X_{synG_1G}(x_1)$, there is $s \in \Sigma^*$ such that $x_1 \in \alpha_1(x_{01}, s)$ and $x \in \alpha(x_0, s)$. Hence $s, s\sigma \in L(G_1)$; moreover, $L(G_1) \subseteq L(F_{syn}(G))$. It follows that $s, s\sigma \in L(F_{syn}(G))$. Therefore there exist $A = \alpha_f(\{x_0\}, s)$ and $A_1 = \alpha_f(A, \sigma)$. By the definition of $F_{syn}(G)$, we have $x \in A$ and $\sigma \in \bigcap_{x'' \in A} E_G(x'')$, which implies there is $x' \in \alpha(x, \sigma)$ such that $x' \in X_{synG_1G}(x_1')$, i.e. $(x_1', x') \in \phi$. Next we show that $x_1 \in X_{m1}$ implies $x \in X_m$. Because $x_1 \in X_{m1}$, we have $s \in L_m(G_1)$; in addition, $L_m(G_1) \subseteq L_m(F_{syn}(G))$. It follows that $s \in L_m(F_{syn}(G))$, that is $A \subseteq X_m$, implying $x \in X_m$. So $G_1 \prec_{syn\phi} G$.

For necessity, induction is used to prove $s \in L(F_{syn}(G))$ for any $s \in L(G_1)$, that is $L(G_1) \subseteq L(F_{syn}(G))$. (1) $|s| = 0$, then $s = \epsilon$. It is obvious that $\epsilon \in L(F_{syn}(G))$. (2) Assume that when $|s| = n$, we have $s \in L(F_{syn}(G))$ for any $s \in L(G_1)$. (3) $|s| = n + 1$. Let $s = s_1\sigma$, where $\sigma \in \Sigma$. Because $s_1\sigma \in L(G_1)$ and $G_1$ is deterministic, for any $x_2 \in \alpha_1(x_{01}, s_1)$ we have $\sigma \in E_{G_1}(x_2)$. Since $G_1 \prec_{syn\phi} G$, for any $x'' \in \alpha(x_0, s_1)$ we have $(x_2, x'') \in \phi$. It follows that $\sigma \in \bigcap_{x'' \in \alpha(x_0, s_1)} E_G(x'')$. In addition, $|s_1| = n$ implies $s_1 \in L(F_{syn}(G))$, which in turn implies there is $A_1 = \alpha_f(\{x_0\}, s_1)$ such that $x'' \in A_1$. Hence $A_2 = \alpha_f(A_1, \sigma) = \bigcup_{x'' \in A_1} \alpha(x'', \sigma)$, that is, $s_1\sigma \in L(F_{syn}(G))$. Therefore for any $s \in L(G_1)$, we have $s \in L(F_{syn}(G))$, i.e. $L(G_1) \subseteq L(F_{syn}(G))$. Next we show $L_m(G_1) \subseteq L_m(F_{syn}(G))$ by proving $s' \in L_m(F_{syn}(G))$ for any $s' \in L_m(G_1)$. Since $s' \in L_m(G_1)$, there is $x_4 \in \alpha_1(x_{01}, s')$ such that $x_4 \in X_{m1}$. Because $G_1 \prec_{syn\phi} G$ implies $(x_4, x''') \in \phi$ for any $x''' \in \alpha(x_0, s')$, we have $x''' \in X_m$. The definition of $F_{syn}(G)$ implies $s' \in L_m(F_{syn}(G))$, i.e. $L_m(G_1) \subseteq L_m(F_{syn}(G))$.

Hence the automaton set $C_1$ can be converted into the following language sets:
$$C_2 := \{L_1 \subseteq L(R) \cap L(F_{syn}(G)) \mid L_1 = \overline{L_1} \text{ and } L_1 \text{ is language controllable w.r.t. } L(G) \text{ and } \Sigma_{uc}\};$$
$$C_3 := \{L_1 \cap L_m(R) \cap L_m(F_{syn}(G)) \mid L_1 \in C_2\}.$$

The computation of the supremal synchronously simulation-based controllable sub-specification, i.e., $\sup C_1$ with respect to $(B, \le)$, can be achieved through the computation of the supremal languages of $C_2$ and $C_3$ with respect to $(2^{\Sigma^*}, \subseteq)$, as shown in the following theorem.

Theorem 3. Given a plant $G$ and a deterministic specification $R$, if $\sup C_2 \neq \emptyset$, then $G_{(\sup C_2, \sup C_3)} \in \sup C_1$.

Proof. Let $L_1 = \sup C_2 \neq \emptyset$ and $L_1' = \sup C_2 \cap L_m(R) \cap L_m(F_{syn}(G)) = \sup C_3$. First we show that $G_{(L_1, L_1')} \in C_1$. Since $L_1 = \sup C_2$, we have $L_1 \in C_2$, which implies $L_1$ is language controllable w.r.t. $L(G)$ and $\Sigma_{uc}$ and $L_1 \subseteq L(F_{syn}(G))$. In addition, the definition of $L_1'$ implies $L_1' \subseteq L_m(F_{syn}(G))$. From Proposition 1 it follows that $G_{(L_1, L_1')}$ is synchronously simulation-based controllable w.r.t. $G$ and $\Sigma_{uc}$. Since $L_1 \in C_2$ also implies $L_1 \subseteq L(R)$ and $L_1' \subseteq L_m(R)$, and $R$ and $G_{(L_1, L_1')}$ are deterministic, we have $G_{(L_1, L_1')} \le R$. Therefore $G_{(L_1, L_1')} \in C_1$. Next we show that $R_1 \le G_{(L_1, L_1')}$ for any $R_1 \in C_1$. Suppose there is $R_1 \in C_1$ such that $R_1 \not\le G_{(L_1, L_1')}$. Since $R_1 \in C_1$, it implies $R_1 \le R$; moreover, $R_1$ and $R$ are deterministic. It follows that $L(R_1) \subseteq L(R)$ and $L_m(R_1) \subseteq L_m(R)$. In addition, $R_1 \in C_1$ also implies synchronous simulation-based controllability of $R_1$. Hence $L(R_1)$ is language controllable with respect to $L(G)$ and $\Sigma_{uc}$, and there is a synchronous simulation relation $\phi$ such that $R_1 \prec_{syn,\phi} G$, implying $L(R_1) \subseteq L(F_{syn}(G))$ and $L_m(R_1) \subseteq L_m(F_{syn}(G))$ according to Proposition 1. Hence $L(R_1) \in C_2$. Moreover, $L_m(R_1) \subseteq L(R_1)$. By the definition of the supremal element, we have $L(R_1) \subseteq \sup C_2 = L_1$ and $L_m(R_1) \subseteq \sup C_3 = L_1'$; further, $R_1$ and $G_{(L_1, L_1')}$ are deterministic. It follows that $R_1 \le G_{(L_1, L_1')}$, which is a contradiction. Hence the assumption is not correct, that is, we have $R_1 \le G_{(L_1, L_1')}$ for any $R_1 \in C_1$. So $G_{(L_1, L_1')} = G_{(\sup C_2, \sup C_3)} \in \sup C_1$.
Next we present a recursive algorithm for computing the supremal synchronously simulation-based controllable sub-specification.

Algorithm 2. Given a plant $G$ and a deterministic specification $R$, the algorithm for computing the supremal synchronously simulation-based controllable sub-specification with respect to $G$ and $\Sigma_{uc}$ is described as follows:

Step 1: Obtain $det(G) = (X_{det}, \Sigma, x_{0det}, \alpha_{det}, X_{mdet})$, $G' = (F_{syn}(G) \| R)_{uc} = (X', \Sigma, x_0', \alpha', X_m')$ and $G'' = G' \| det(G) = (X'', \Sigma, x_0'', \alpha'', X_m'')$;

Step 2: $Z_0 := \{(x_1', x_2) \in X' \times X_{det} \mid x_1' = D_d\}$;

Step 3: $\forall k \ge 0$, $Z_{k+1} = Z_k \cup \{z \in X'' - Z_k \mid (\exists \sigma \in \Sigma_{uc})\ \alpha''(z, \sigma) \in Z_k\}$;

Step 4: If $Z_{k+1} = Z_k =: Z$, then the subautomaton $F_{G''}(X'' - Z_k)$ of $G''$ is a supremal synchronously simulation-based controllable sub-specification with respect to $G$ and $\Sigma_{uc}$.

Theorem 4. Algorithm 2 is correct.

Proof. Consider $R'' = F_{G''}(X'' - Z_k) = (Q'', \Sigma, q_0'', \delta'', Q_m'')$, where $Z_{k+1} = Z_k =: Z$ with $k \ge 0$. First we show that $L(R'') \in C_2$. The definition of $Z_k$ implies that $L(R'')$ is language controllable w.r.t. $L(G)$ and $\Sigma_{uc}$, and the fact that $L(det(G)) = L(G)$ implies $L(R'') \subseteq L(F_{syn}(G)) \cap L(R)$ and $L_m(R'') \subseteq L_m(F_{syn}(G)) \cap L_m(R)$. It follows that $L(R'') \in C_2$. Next we show that $L_2 \subseteq L(R'')$ for any $L_2 \in C_2$. Suppose there is $L_2 \in C_2$ such that $L_2 \not\subseteq L(R'')$, that is, there is $s \in \Sigma^*$ such that $s \in L_2 \setminus L(R'')$. Since $s \notin L(R'')$, there exists $s_1 \in \overline{\{s\}}$ such that $(x_1', x_1) \in Z_{k'}$, where $x_1' \in \alpha'(x_0', s_1)$, $x_1 \in \alpha_{det}(x_{0det}, s_1)$ and $k' \in \{0, 1, \dots, k\}$. Hence there is $s_2 \in \Sigma_{uc}^*$ such that $x_2' \in \alpha'(x_1', s_2)$ and $x_2 \in \alpha_{det}(x_1, s_2)$ with $(x_2', x_2) \in Z_0$, which implies $s_1 s_2 \in L(G) \setminus L(F_{syn}(G) \| R)$. Moreover, $L(F_{syn}(G) \| R) = L(F_{syn}(G)) \cap L(R)$ and $L_2 \subseteq L(F_{syn}(G)) \cap L(R)$. It follows that $s_1 s_2 \notin L_2$. If $s_2 = \epsilon$, then $s_1 \notin L_2$, which implies $s \notin L_2$. If $s_2 \neq \epsilon$, then $s_1 s_2(1) \cdots s_2(|s_2| - 1) \notin L_2$, because $L_2$ is language controllable w.r.t. $L(G)$ and $\Sigma_{uc}$, $s_2(|s_2|) \in \Sigma_{uc}$ and $s_1 s_2 \in L(G) \setminus L_2$. It in turn follows that $s_1 s_2(1) \cdots s_2(|s_2| - 2) \notin L_2$, $s_1 s_2(1) \cdots s_2(|s_2| - 3) \notin L_2$, $\dots$, $s_1 \notin L_2$. Hence $s \notin L_2$. So there is a contradiction, which implies the assumption is not correct. Then $L_2 \subseteq L(R'')$ for any $L_2 \in C_2$. As a result, $L(R'') = \sup C_2$. It remains to show that $L_m(R'') = \sup C_3$. By the definition of $R''$ and the fact that $L_m(F_{syn}(G)) \subseteq L_m(G)$, we have $L_m(R'') = L(R'') \cap L_m(F_{syn}(G)) \cap L_m(R) = \sup C_2 \cap L_m(F_{syn}(G)) \cap L_m(R) = \sup C_3$. It follows that $R''$ is a deterministic automaton such that $L(R'') = \sup C_2$ and $L_m(R'') = \sup C_3$. By Theorem 3, we have $R'' \in \sup C_1$.

Remark 3. Algorithm 2 terminates because the state set $X''$ is finite. Since the numbers of states of $F_{syn}(G)$ and $det(G)$ are both $O(2^{|X|})$, the complexity of Algorithm 2 is $O(2^{2|X|}|Q||\Sigma|)$.
Furthermore, the supremal synchronously simulation-based controllable sub-specification can be calculated by formulas without applying the recursive algorithm.



Theorem 5. Given a plant $G$ and a deterministic specification $R$, if
$$M = L(R) \cap L(F_{syn}(G)) - [(L(G) - L(R) \cap L(F_{syn}(G)))/\Sigma_{uc}^*]\Sigma^* \neq \emptyset,$$
then $G_{(M, M')}$ is a supremal synchronously simulation-based controllable sub-specification with respect to $G$ and $\Sigma_{uc}$, where $M' = M \cap L_m(R) \cap L_m(F_{syn}(G))$.



Proof. According to Theorem 1 and Theorem 2 in (Brandt et al., 1990), we obtain $\sup C_2 = L(R) \cap L(F_{syn}(G)) - [(L(G) - L(R) \cap L(F_{syn}(G)))/\Sigma_{uc}^*]\Sigma^* = M$. It follows that $M' = \sup C_3$. From Theorem 3, $G_{(M, M')}$ is a supremal synchronously simulation-based controllable sub-specification w.r.t. $G$ and $\Sigma_{uc}$.
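The following Python is an added, self-contained example written for this page; it is not code from the paper. It implements the synchronous state merger $F_{syn}(G)$ of Definition 10 (so the language test of Proposition 1 can be run), the four steps of Algorithm 2, and the closed formula of Theorem 5 on a small constructed plant, and checks that the recursive and the formula-based method return the same supremal sub-specification. The dump-state completion $(\cdot)_{uc}$ and the subautomaton $F_{G''}(X'' - Z)$ are not defined in this section, so the code assumes the standard reading: an uncontrollable event undefined at a state is routed to a dump state $D_d$, and the subautomaton keeps exactly the states outside $Z$. The plant $G$, the specification $R$ and the event names are constructed for the example.

```python
"""Added example (not from the paper): Definition 10, Algorithm 2 and the
Theorem 5 formula on a constructed plant.  Automata are plain dicts; the
(.)_uc completion and F_{G''}(X''-Z) are assumed conventions, see lead-in."""

def make(states, alphabet, init, trans, marked):
    """trans maps (state, event) -> set of successor states (nondeterministic)."""
    return {"X": set(states), "S": set(alphabet), "x0": init,
            "d": {k: set(v) for k, v in trans.items()}, "Xm": set(marked)}

def enabled(G, x):
    """E_G(x): events with at least one transition from x."""
    return {e for (y, e) in G["d"] if y == x}

def _closure(alphabet, init, step, mark):
    """Build the reachable deterministic automaton generated by step(q, e)."""
    trans, states, marked, stack = {}, {init}, set(), [init]
    while stack:
        q = stack.pop()
        if mark(q):
            marked.add(q)
        for e in alphabet:
            r = step(q, e)
            if r is None:
                continue
            trans[(q, e)] = {r}
            if r not in states:
                states.add(r)
                stack.append(r)
    return make(states, alphabet, init, trans, marked)

def fsyn(G):
    """Synchronous state merger F_syn(G): a merged state A moves on e only when
    e is enabled at *every* x in A (Definition 10); marked iff A is inside X_m."""
    def step(A, e):
        if all(e in enabled(G, x) for x in A):
            return frozenset().union(*(G["d"][(x, e)] for x in A))
        return None
    return _closure(G["S"], frozenset([G["x0"]]), step, lambda A: A <= G["Xm"])

def det(G):
    """Ordinary subset construction det(G): e fires if enabled at *some* x in A."""
    def step(A, e):
        return frozenset().union(*(G["d"].get((x, e), set()) for x in A)) or None
    return _closure(G["S"], frozenset([G["x0"]]), step, lambda A: bool(A & G["Xm"]))

def parallel(A, B):
    """Synchronous product A || B of two deterministic automata over one alphabet."""
    def step(q, e):
        ta, tb = A["d"].get((q[0], e)), B["d"].get((q[1], e))
        return (next(iter(ta)), next(iter(tb))) if ta and tb else None
    return _closure(A["S"], (A["x0"], B["x0"]), step,
                    lambda q: q[0] in A["Xm"] and q[1] in B["Xm"])

DD = "Dd"   # dump state D_d of the assumed (.)_uc completion
def uc_complete(H, uc):
    """(H)_uc: send every uncontrollable event undefined at a state to Dd."""
    d = dict(H["d"])
    for x in H["X"]:
        for e in uc:
            d.setdefault((x, e), {DD})
    return make(H["X"] | {DD}, H["S"], H["x0"], d, H["Xm"])

def algorithm2(G, R, uc):
    """Steps 1-4 of Algorithm 2; states of G'' are ((fsyn_state, R_state), det_state)."""
    G2 = parallel(uc_complete(parallel(fsyn(G), R), uc), det(G))   # Step 1
    Z = {z for z in G2["X"] if z[0] == DD}                          # Step 2
    while True:                                                     # Step 3
        grow = {z for z in G2["X"] - Z
                if any(G2["d"].get((z, e), set()) & Z for e in uc)}
        if not grow:
            break
        Z |= grow
    keep = G2["X"] - Z                                              # Step 4
    d = {k: v for k, v in G2["d"].items() if k[0] in keep and v <= keep}
    return make(keep, G2["S"], G2["x0"], d, G2["Xm"] & keep)

def language(D):
    """All strings (tuples of events) of a deterministic automaton; finite here
    because the constructed plant is acyclic."""
    out, stack = set(), [(D["x0"], ())]
    while stack:
        q, s = stack.pop()
        out.add(s)
        stack += [(next(iter(r)), s + (e,)) for (p, e), r in D["d"].items() if p == q]
    return out

def sup_formula(K, L, uc):
    """Theorem 5 on finite prefix-closed languages: K - [(L - K)/Sigma_uc^*] Sigma^*."""
    quot = {s[:i] for s in L - K for i in range(len(s) + 1) if all(e in uc for e in s[i:])}
    return {s for s in K if not any(s[:i] in quot for i in range(len(s) + 1))}

# Constructed plant G (nondeterministic on a) and specification R; u is uncontrollable.
G = make(range(6), "abcu", 0, {(0, "a"): {1, 2}, (1, "b"): {3}, (2, "u"): {3},
                               (0, "c"): {4}, (4, "b"): {5}}, {3, 5})
R = make("prst", "abcu", "p", {("p", "a"): {"r"}, ("r", "b"): {"t"},
                               ("p", "c"): {"s"}, ("s", "b"): {"t"}}, {"t"})
UC = {"u"}

def compare():
    """Both methods must agree: after a the plant may do u while F_syn(G)||R
    cannot, so the ab branch is cut; the cb branch survives."""
    by_algorithm = language(algorithm2(G, R, UC))
    by_formula = sup_formula(language(parallel(fsyn(G), R)), language(det(G)), UC)
    return by_algorithm, by_formula
```

In the constructed plant, $a$ leads nondeterministically to two states that enable different events, so $F_{syn}(G)$ has no transition after $a$ at all while $det(G)$ still accepts $ab$; that difference is what makes $ab$ fall outside $L(F_{syn}(G))$ and, once the uncontrollable $u$ is taken into account, removes $a$ itself from the supremal sub-specification.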

Now we revisit Example 2.

Figure 6: $F_{syn}(G)$ (Left) and $det(G)$ (Right)



Example 3. Example 2 indicates that $R$ is not synchronously simulation-based controllable with respect to $G$ and $\Sigma_{uc}$. Thus, we calculate the supremal synchronously simulation-based controllable sub-specification with respect to $G$ and $\Sigma_{uc}$ by the proposed methods.

(1) Recursive Method: Following Algorithm 2, we establish $F_{syn}(G)$ and $det(G)$, shown in Fig. 6. Then $G'' = (X'', \Sigma, x_0'', \alpha'', X_m'') = (F_{syn}(G) \| R)_{uc} \| det(G)$ is obtained in Fig. ^ (Left). We obtain $Z_0 = \{(D_d, x_3')\}$, $Z_1 = Z_0 \cup \{(\{x_3, x_8\}, q_3, x_3'), (\{x_4\}, q_4, x_4')\}$ and $Z_2 = Z_1 \cup \{(\{x_2\}, q_1, x_2')\} = Z_3$. Therefore, the supremal synchronously simulation-based controllable sub-specification $F_{G''}(X'' - Z_2)$ is obtained in Fig. ^ (Right).

(2) Formula-based Method: First we construct $F_{syn}(G)$, which can be seen in Fig. 6 (Left). Hence $L(R) \cap L(F_{syn}(G)) = (d(fm + eg)n + cfgn + fgn)^*ab$. Thus,
$$M = L(R) \cap L(F_{syn}(G)) - [(L(G) - L(R) \cap L(F_{syn}(G)))/\Sigma_{uc}^*]\Sigma^* = (d(fm + eg)n + cfgn + fgn)^*ab - (d(fm + eg)n + cfgn + fgn)^*ab\Sigma^* - (d(fm + eg)n + cfgn + fgn)^*o\Sigma^* - (d(fm + eg)n + cfgn + fgn)^*f\Sigma^* = (d(fm + eg)n + cfgn)^* \neq \emptyset$$
and $M' = M \cap L_m(R) \cap L_m(F_{syn}(G)) = (d(fm + eg)n + cfgn)^*(d(fm + eg) + cfg)$. The supremal synchronously simulation-based controllable sub-specification $G_{(M, M')} = F_{G''}(X'' - Z_2)$ is obtained in Fig. ^ (Right).

6. Conclusion 

In this paper, we investigated the bisimilarity enforcing supervisory control of nondeterministic plants for deterministic specifications. A necessary and sufficient condition for the existence of a bisimilarity enforcing supervisor was deduced from the synchronous simulation-based controllability of the specification, which can be verified by a polynomial algorithm. For those specifications fulfilling the existence condition, a bisimilarity enforcing supervisor has been constructed. Conversely, when the existence condition does not hold, a recursive method and a formula-based method have been developed to calculate the maximal permissive sub-specifications.